Standards Are Only Open If They Protect Security and Interoperability

The Open Source Initiative, a nonprofit that certifies open source licenses, has adopted an important principle about standards, DRM, and openness, and just in time, too.

The World Wide Web Consortium (W3C), which makes the core standards that the Internet runs on, is in the midst of a long, contentious effort to add "DRM" (Digital Rights Management) to HTML5, the next version of the Web. Laws like the Digital Millennium Copyright Act (which has analogs all over the world) give companies the power to make legal threats against people engaged in important, legitimate activities. Because the DMCA regulates breaking DRM, even for legal reasons, companies use it to threaten and silence security researchers who embarrass them by pointing out their mistakes, and to shut down competitors who improve their products by adding legitimate features, add-ons, parts, or service options. The Web relies on the distributed efforts of independent security researchers, and its historic strength has been the ability of companies and individuals to innovate without permission, even when they were disrupting an existing business.

We tried to dissuade the W3C from adopting DRM, but failed. Now we're on to Plan B, a proposal modelled on the W3C's existing policies, which asks companies to promise not to sue security researchers or competitors for the mere act of breaking DRM. Companies still can sue anyone who hacks their users, violates their copyrights, or interferes with their service -- but they have to use laws specific to those activities. We call it a non-aggression covenant, and by signing it, companies only give up the right to sue people who've done nothing wrong. The covenant doesn't interfere in any way with all the rights companies get under other copyright laws, torts and trade secret laws.

No one's ever tried anything like this, because no open standards body like the W3C has ever tried to standardize something as divisive as DRM. Our solution is a new one, but it's also a good one.

Today, the Open Source Initiative validated our approach. They adopted a set of "Principles of DRM Nonaggression for Open Standards," based on our proposal to the W3C, telling standards bodies that their work can only be called "open" under OSI's definition if they take steps to protect implementers and security researchers:

An "open standard" must not prohibit conforming implementations in open source software. (See Open Standards Requirement for Software).

When an open standard involves content restriction technology commonly known as Digital Rights Management (DRM)—either directly specifying an implementation of DRM or indirectly consuming or serving as a component within DRM technology—the laws in some jurisdictions against circumvention of DRM may hinder efforts to develop open source implementations of the standard. In order to make open source implementations possible, an open standard that involves DRM needs an agreement from the standards body and the authors of the standard not to pursue legal action for circumvention of DRM. Such an agreement should grant permission to:

circumvent DRM in implementations of the open standard

distribute implementations of the open standard, even if the implementation modifies some details of the open standard

perform security research on the open standard or implementations of the open standard, and publish or disclose vulnerabilities discovered

We are deeply appreciative of the OSI's support for this approach. The core standards of the Internet are on a collision course with a notoriously bad law, and with their help, we may be able to steer it clear of the worst danger.
